I, like probably most people in the IT industry, have been listening with intense interest to the news, editorials and debates about Huawei. My take: yes, they most certainly could inject either hardware or firmware into their products that would intercept and relay any and all communications from a device, be it a piece of personal tech, such as a smartphone, tablet, or laptop, or infrastructure such as routers or bridges, to a monitoring server. The problem is that whilst they could, they would, eventually, be found out. Once found out, the reputational and trust damage would be universal, and permanent. It would damage any and all tech coming out of companies within the controlling country’s government, and severely impact relations with that country, which in this case is China. Some would say that we already have proof that Huawei has installed listening and replicating chips in its hardware. My response would be, if that were proven to be the case, then I would have expected an explosion from the governments and security services across the western world banning the use of Chinese tech in IT.
Agreed, there has been a backlash against Huawei, and other Chinese comms manufacturers, from the US, Australia, and to a lesser extent the UK, but nothing prohibitive based on actual evidence. Indeed you could almost argue that the response is nothing more than that of protectionism on behalf of the Western governments against their Chinese competitors. The good thing about rumour is that you don’t have to prove it. Can Huawei prove their innocence? Probably not. Should they need to? Well, in cases of National Security, you could argue we don’t take chances, we can only take the safe option, and with that I would agree. The problem is that whether you buy Huawei, Samsung, Apple, IBM, Cisco, BT, LG… the chances are that some, if not all, of the hardware is sourced out of China. Are the Chinese monitoring our comms through the use of hacked hardware? Possibly, but ask yourself, if you were monitoring all internet traffic, would you really be spending all the effort they are currently expending in trying to hack into the websites for which they already have the admin usernames and passwords? Oh, and also, would you not have released some of the more intimate texts that must be out there from President Trump on his multitudinous adulterous liaisons?
Finally, how do you, in today’s globally interconnected society, guarantee National Security? Well, National Security Organisations, figure that one out for yourselves, but don’t forget the UK spied on France, Germany spied on (at least) both the UK and the USA, and you can bet your bottom dollar the USA is spying on everyone.
So the report by GCHQ into Huawei’s development processes has been published, and, apparently, it doesn’t make for good reading, if you are Huawei that is. Multiple criticisms, from being unable to identify what changes you are getting when you load a software update, to supposedly memory ‘SAFE’ library functions just being straight-through wrappers onto the standard non-memory-safe functions.
Implications. Well, first, Huawei’s hardware is vulnerable to attack, and second, when you update you cannot be 100% certain what you are getting, or even if it’s a genuine Huawei update.
So no evidence of systemic backdoors for the State to infiltrate, just a wide open front door for anyone to wander in.
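To make the "straight-through wrapper" criticism concrete, here is an added example (not code from the GCHQ report or from Huawei) of a so-called safe copy that accepts a buffer size and ignores it, next to one that enforces it. The function names, buffer sizes and input string are all hypothetical and constructed for illustration; the oversized copy lands inside a larger backing array so the demonstration stays well-defined.

```c
#include <stdio.h>
#include <string.h>

#define DECLARED_CAP 8    /* size the caller passes to the wrapper */
#define ARENA_SIZE   32   /* real backing storage, keeps the demo well-defined */
#define CANARY       0x5A /* fill byte used to detect writes past the bound */

/* Hypothetical pass-through "safe" copy: takes a size but never uses it. */
int passthrough_safe_strcpy(char *dst, size_t dst_size, const char *src)
{
    (void)dst_size;       /* the bound is silently ignored */
    strcpy(dst, src);
    return 0;
}

/* Bounded copy: rejects input that does not fit, terminator included. */
int checked_strcpy(char *dst, size_t dst_size, const char *src)
{
    size_t n;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    n = strlen(src);
    if (n >= dst_size) {
        dst[0] = '\0';    /* fail closed: leave an empty string */
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

typedef int (*copy_fn)(char *, size_t, const char *);

/* Count bytes a copy routine modified beyond the declared capacity. */
size_t bytes_past_bound(copy_fn fn, const char *src)
{
    char arena[ARENA_SIZE];
    size_t i, spilled = 0;
    memset(arena, CANARY, sizeof arena);
    fn(arena, DECLARED_CAP, src);
    for (i = DECLARED_CAP; i < ARENA_SIZE; i++)
        if ((unsigned char)arena[i] != CANARY)
            spilled++;
    return spilled;
}

int main(void)
{
    const char *input = "0123456789ABCDEF"; /* constructed: 16 chars + NUL */
    printf("pass-through: %zu\n", bytes_past_bound(passthrough_safe_strcpy, input));
    printf("checked:      %zu\n", bytes_past_bound(checked_strcpy, input));
    return 0;
}
```

A code review or static-analysis rule that flags size parameters which are never read inside a "safe" function catches this pattern without needing to run anything.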